Re: migrate python script from sudo to doas

2018-10-31 Thread Markus Rosjat

Hi Vincent


Am 30.10.2018 um 16:03 schrieb Vincent Legoll:

Maybe you should try like the following:

cmd = ['doas', 'useradd',
   '-u', user_id,
   '-g', '=uid',
   '-s', '/sbin/nologin',
   '-d', mb_parent_dir,
   user_name]
exit = subprocess.check_call(cmd)



This doesn't solve the problem; if I try it like that, check_call complains 
that it needs a string as user_id. If I do something like


u_id = '%s' % user_id

and plug u_id in as the arg, I'm back to square one. So this seems to be 
a doas-related issue that needs some adjustment in doas.conf. If this 
isn't resolvable I will just install the sudo package, using the 
"pointing a cannon at a sparrow" approach :(


regards

--
Markus Rosjat    fon: +49 351 8107224    mail: ros...@ghweb.de

G+H Webservice GbR Gorzolla, Herrmann
Königsbrücker Str. 70, 01099 Dresden

http://www.ghweb.de
fon: +49 351 8107220   fax: +49 351 8107227

Bitte prüfen Sie, ob diese Mail wirklich ausgedruckt werden muss! Before you 
print it, think about your responsibility and commitment to the ENVIRONMENT
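The string-typing problem in the exchange above, as an added example (not code from the thread, and not OpenBSD's): build the doas useradd argv with every element already a str, validate the pieces before they reach a privileged command, and run it without a shell. The user-name rule and the paths are assumptions for the example. One doas.conf(5) caveat that matters for a script like this: a rule with a cmd clause and no args clause permits any arguments to that command, while a rule that has an args clause matches the argument list literally, so a rule written for one fixed uid never matches a script that passes varying ids.

```python
import re
import subprocess

# Conservative user-name rule (an assumption for this example, not the rule
# useradd(8) itself enforces): lowercase, no leading '-', so the name can
# never be parsed as an option by useradd or by doas.
USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,30}\$?$")


def build_useradd_cmd(user_id, user_name, home_dir, shell="/sbin/nologin"):
    """Return the argv for 'doas useradd' with every element a str.

    subprocess hands argv straight to execve(2), so an int user_id raises
    TypeError; convert it here once, after validating it, instead of at
    every call site."""
    if isinstance(user_id, bool) or not isinstance(user_id, int) or user_id < 0:
        raise ValueError("user_id must be a non-negative int, got %r" % (user_id,))
    if not USERNAME_RE.match(user_name):
        raise ValueError("refusing user name %r" % (user_name,))
    if not home_dir.startswith("/") or ".." in home_dir.split("/"):
        raise ValueError("home_dir must be an absolute, normalised path")
    argv = ["doas", "useradd",
            "-u", str(user_id),
            "-g", "=uid",
            "-s", shell,
            "-d", home_dir,
            user_name]
    assert all(isinstance(arg, str) for arg in argv)
    return argv


def run_useradd(argv):
    """Execute argv without a shell; check=True turns a non-zero exit
    (doas refusing the rule, useradd failing) into CalledProcessError."""
    return subprocess.run(argv, check=True)
```

Call run_useradd(build_useradd_cmd(1001, "alice", "/var/mail/alice")) from the script; the ValueError cases fire before anything privileged runs.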



syntax error and doas.conf

2018-10-31 Thread Markus Rosjat

Hi all,

Just something I noticed while trying out stuff with doas and my Python 
scripts. If you make a mistake and have a syntax error in the doas.conf 
file, you can easily lock yourself out of root privileges :(


Consider a case where your root has no password, you are the guy in the 
wheel group, and of course you have only this line


permit persist keepenv :wheel

So far everything is peachy. OK, we are going to add a new line

permit nopass foo as root cmt /root/scripts/dosomething

and we save it ... oops, we made a mistake and would like to fix it; no 
worries, we can ... or can't we?


doas vi /etc/doas.conf

doas: syntax error at line 15


At this point you are a bit screwed because you can't edit doas.conf, 
you can't reboot; your only way seems to be a switch-off. OK, maybe there 
are other ways, but hey, I'm no pro, I'm a simple user and it's a VM, so 
switch it off. Boot into single-user mode, run fsck, mount the 
partitions, export the TERM var so you get a vi. Well, it seems we are 
back in business, but no, we can't edit /etc/doas.conf. Doesn't matter, 
we came so far, we simply copy the example to /etc and are done with it. 
At that point 5 to 10 minutes of your life are wasted on silly stuff, but 
you may have learned at least one thing ... read again what you just 
wrote before you save it :)



Have a nice day list :) and happy Halloween




Re: Bluetooth Support

2018-10-31 Thread Marco Menne
Thanks for your help, but this does not work. The Bluetooth keyboard is
not recognized by the system.
As I wrote before, I closed this issue and use an USB-keyboard.
Bluetooth I never liked. :-)

On Tue, Oct 30, 2018 at 07:36:40PM -0400, mar...@martinbrandenburg.com wrote:
> > From s...@spacehopper.org Tue Oct 30 19:32:56 2018
> > To: misc@openbsd.org
> > From: Stuart Henderson 
> > Subject: Re: Bluetooth Support
> > Date: Tue, 30 Oct 2018 23:24:04 + (UTC)
> >
> > On 2018-10-30, Marco Menne  wrote:
> > > Hello there,
> > >
> > > I installed OpenBSD 6.4 on an old iMac from 2010 and nearly everything
> > > works fine. The sound is cruel but this is a minor problem.
> > > The Apple has a Bluetooth keyboard and I do not find a way to get it
> > > working. I read in some forum that Bluetooth is not supported in OpenBSD.
> > > Is this true?
> > > I can use an USB-Keyboard, of course, but the Apple keyboard is fine and 
> > > it
> > > would be a little bit sad, if I had to change to an usb one.
> > >
> > > Greetings, Marco
> > > - - -
> > > Marco Menne
> > > marco.menn...@gmail.com
> > > GnuPG-Public-Key:
> > > https://keyserver.ubuntu.com/pks/lookup?op=get&search=0x96A01AB59F6F7ECF
> > >
> >
> > AIUI the firmware on some Apples does actually present a Bluetooth
> > keyboard as a standard keyboard, but I suspect this one will be too
> > old for this and would need an OS that has its own Bluetooth support.
> >
> >
> 
> Way back in 2012, I ran OpenBSD on a 2008 MacBook Pro with a Bluetooth
> keyboard and it presented as USB and worked fine.
> 
> I ran it for a while actually before I realized and had to ask myself
> how in the world this even works.
> 
> Marco, you can test this easily without installing simply by checking to
> see if you can type at the bootloader prompt.
> 

-- 
Marco Menne
marco.menn...@gmail.com



Re: syntax error and doas.conf

2018-10-31 Thread Consus
On 10:42 Wed 31 Oct, Markus Rosjat wrote:
> Hi all,
> 
> Just something I noticed while trying out stuff with doas and my Python
> scripts. If you make a mistake and have a syntax error in the doas.conf file
> you can easily lock yourself out of root privileges :(
> 
> Consider a case where your root has no password, you are the guy in the wheel
> group, and of course you have only this line
> 
> permit persist keepenv :wheel
> 
> So far everything is peachy. OK, we are going to add a new line
> 
> permit nopass foo as root cmt /root/scripts/dosomething
> 
> and we save it ... oops, we made a mistake and would like to fix it; no
> worries, we can ... or can't we?
> 
> doas vi /etc/doas.conf
> 
> doas: syntax error at line 15
> 
> 
> At this point you are a bit screwed because you can't edit doas.conf, you
> can't reboot; your only way seems to be a switch-off. OK, maybe there are
> other ways, but hey, I'm no pro, I'm a simple user and it's a VM, so switch
> it off. Boot into single-user mode, run fsck, mount the partitions, export
> the TERM var so you get a vi. Well, it seems we are back in business, but
> no, we can't edit /etc/doas.conf. Doesn't matter, we came so far, we simply
> copy the example to /etc and are done with it. At that point 5 to 10 minutes
> of your life are wasted on silly stuff, but you may have learned at least
> one thing ... read again what you just wrote before you save it :)
> 
> 
> Have a nice day list :) and happy Halloween

Well, that's why we have sudoedit. With doas you are forced to

$ doas cp -p /etc/doas.conf /etc/doas.conf.new
$ doas vi /etc/doas.conf.new
$ doas -C /etc/doas.conf.new
$ doas mv /etc/doas.conf.new /etc/doas.conf
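The copy/edit/check/move sequence above, as an added example that is not part of the thread or of doas itself: write the candidate next to the live file, run the checker on it, and rename it into place only if the checker passes, so a syntax error never reaches /etc/doas.conf. The default checker is doas -C; demo() swaps in a constructed stand-in parser (an assumption for the example: it knows only a subset of the doas.conf grammar) so the block runs on any system. Writing into /etc needs root, for example by starting the script through doas.

```python
import os
import shutil
import subprocess
import sys
import tempfile

# The real checker: doas -C parses a file and reports "syntax error at line N"
# with a non-zero exit, without touching the configuration that is in force.
DOAS_CHECK = ["doas", "-C", "{}"]

# Constructed stand-in for doas -C so demo() runs anywhere: it knows only the
# option/identity/as/cmd/args shape of a rule, enough to reject the 'cmt' typo.
STANDIN_CHECK = [sys.executable, "-c", r'''
import sys
OPTIONS = {"nopass", "persist", "keepenv", "nolog"}
for n, line in enumerate(open(sys.argv[1]), 1):
    w = line.split()
    if not w or w[0].startswith("#"):
        continue
    if w[0] not in ("permit", "deny"):
        sys.exit("doas: syntax error at line %d" % n)
    i = 1
    while i < len(w) and w[i] in OPTIONS:
        i += 1
    i += 1                      # the identity: a user or a :group
    while i < len(w):
        if w[i] in ("as", "cmd") and i + 1 < len(w):
            i += 2
        elif w[i] == "args":
            break
        else:
            sys.exit("doas: syntax error at line %d" % n)
''', "{}"]


def install_checked(target, new_text, check_cmd=DOAS_CHECK):
    """Write new_text to a candidate beside target, run check_cmd on it ("{}"
    is replaced by the candidate path) and rename it over target only on
    success.  Returns True when installed, False when the check failed; the
    live file is never modified or left half-written in the failure case."""
    dirname = os.path.dirname(os.path.abspath(target))
    fd, candidate = tempfile.mkstemp(prefix=".doas.conf.", dir=dirname)
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(new_text)
        # Carry over the live file's mode (doas.conf must not be writable by
        # others) so the rename cannot widen permissions; 0600 for a new file.
        mode = os.stat(target).st_mode & 0o777 if os.path.exists(target) else 0o600
        os.chmod(candidate, mode)
        cmd = [candidate if arg == "{}" else arg for arg in check_cmd]
        result = subprocess.run(cmd, capture_output=True, text=True)
        if result.returncode != 0:
            sys.stderr.write(result.stderr)      # e.g. doas: syntax error at line 2
            return False
        os.replace(candidate, target)             # atomic within one filesystem
        candidate = None
        return True
    finally:
        if candidate is not None:
            os.unlink(candidate)


def demo():
    """Install a good config, then try the typo from the thread; report what happened."""
    workdir = tempfile.mkdtemp()
    try:
        target = os.path.join(workdir, "doas.conf")
        good = "permit persist keepenv :wheel\n"
        bad = good + "permit nopass foo as root cmt /root/scripts/dosomething\n"
        first = install_checked(target, good, STANDIN_CHECK)
        second = install_checked(target, bad, STANDIN_CHECK)
        with open(target) as fh:
            live = fh.read()
        leftovers = [n for n in os.listdir(workdir) if n != "doas.conf"]
    finally:
        shutil.rmtree(workdir)
    return {"first": first, "second": second, "live": live, "leftovers": leftovers}
```

The same shape works for any daemon with a check mode (sshd -t, pfctl -nf, smtpd -n): the candidate is checked where it will live, and the rename is the only step that touches the file the system reads.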



Re: syntax error and doas.conf

2018-10-31 Thread Markus Rosjat

Hi


Am 31.10.2018 um 10:52 schrieb Consus:

Well, that's why we have sudoedit. With doas you are forced to

$ doas cp -p /etc/doas.conf /etc/doas.conf.new
$ doas vi /etc/doas.conf.new
$ doas -C /etc/doas.conf.new
$ doas mv /etc/doas.conf.new /etc/doas.conf

Yeah, and by default there is no sudo package installed, or is there (at 
least there isn't in the 6.x releases, if I remember right)?! Just try a 
sudoedit on a fresh install and see if it works. As far as I understand 
the doas approach, it's there to provide a simple way of achieving things like


sudo /do/this/cmd

because 99% of the time you only need root privileges to do something like 
that. So some very nice guy, I think his name is Ted, thought "hey, let's 
simplify it and skip all the heavy stuff that sudo brings along". At 
least I imagine he thought something like that :)


regards




Re: spamd and google smtp ips

2018-10-31 Thread Craig Skinner
On Tue, 30 Oct 2018 18:54:43 + Chris Narkiewicz wrote:
> Are there any solutions get around this problem? Ideally I'd like
> to just whitelist reputable mail providers ...

Yes Chris, see: http://web.Britvault.Co.UK/products/ungrey-robins/

Cheers,
-- 
Craig Skinner | http://linkd.in/yGqkv7



Re: syntax error and doas.conf

2018-10-31 Thread Bruno Flueckiger
On 31.10.18 10:42, Markus Rosjat wrote:
> Hi all,
> 
> Just something I noticed while trying out stuff with doas and my Python 
> scripts. If you make a mistake and have a syntax error in the doas.conf 
> file, you can easily lock yourself out of root privileges :(
> 
> Consider a case where your root has no password, you are the guy in the 
> wheel group, and of course you have only this line
> 
> permit persist keepenv :wheel
> 
> So far everything is peachy. OK, we are going to add a new line
> 
> permit nopass foo as root cmt /root/scripts/dosomething
> 
> and we save it ... oops, we made a mistake and would like to fix it; no 
> worries, we can ... or can't we?
> 
> doas vi /etc/doas.conf
> 
> doas: syntax error at line 15
> 
> 
> At this point you are a bit screwed because you can't edit doas.conf, 
> you can't reboot; your only way seems to be a switch-off. OK, maybe there 
> are other ways, but hey, I'm no pro, I'm a simple user and it's a VM, so 
> switch it off. Boot into single-user mode, run fsck, mount the 
> partitions, export the TERM var so you get a vi. Well, it seems we are 
> back in business, but no, we can't edit /etc/doas.conf. Doesn't matter, 
> we came so far, we simply copy the example to /etc and are done with it. 
> At that point 5 to 10 minutes of your life are wasted on silly stuff, but 
> you may have learned at least one thing ... read again what you just 
> wrote before you save it :)
> 
> 
> Have a nice day list :) and happy Halloween
> 

Losing ten minutes because of a mistake you've made all by yourself
made you write this useless mail. Imagine how many times you could have
read the man page of doas(8) and found out that there is the parameter -C
to check the config file.

Cheers,
Bruno

-- 
Don't trust a man wearing a better suit than your own



Re: spamd and google smtp ips

2018-10-31 Thread Thuban
* Stuart Henderson  le [30-10-2018 23:39:23 +]:
> On 2018-10-30, Chris Narkiewicz  wrote:
> > Hi,
> >
> > I'm configuring spamd and I noticed that when I send an e-mail from 
> > GMail, each time the e-mail is submitted by a different IP address.
> >
> > Here is spamdb output after sending a test email to myself:
> >
> > GREY|209.85.219.182|mail-yb1-f182.google.com|...
> > GREY|209.85.219.177|mail-yb1-f177.google.com|...
> > GREY|209.85.219.176|mail-yb1-f176.google.com|...
> > GREY|209.85.219.172|mail-yb1-f172.google.com|...
> > GREY|209.85.219.180|mail-yb1-f180.google.com|...
> > GREY|209.85.219.175|mail-yb1-f175.google.com|...
> > GREY|209.85.219.173|mail-yb1-f173.google.com|...
> > GREY|209.85.219.179|mail-yb1-f179.google.com|...
> > GREY|209.85.208.46|mail-ed1-f46.google.com|...
> > GREY|209.85.161.52|mail-yw1-f52.google.com|...
> > ... snip ...
> >
> > Of course they are not whitelisted, as each submission
> > attempt is done by a different node and I guess google has A LOT of
> > them. I see 2 issues with that:
> >
> > 1) e-mail delivery takes a lot of time (as google uses exponential 
> > backoff and stops frequent retries after few failures)
> >
> > 2) whitelisted IPs are more likely being expired, as my server is
> > not getting a lot of gmail traffic
> >
> > I suppose different big e-mail providers will
> > have similar issues.
> >
> > I'm also running BGP server to download a whitelist,
> > but it does not contain google servers.
> >
> > Are there any solutions get around this problem? Ideally I'd like
> > to just whitelist reputable mail providers as I see little chance
> > that any spammer will outsmart Google/Yahoo/Microsoft/etc.


To solve this problem, I use two methods:

## whitelist from bsdly.net (thanks again Peter :)

In /etc/pf.conf

table <nospamd> persist file "/etc/mail/nospamd"
pass in on egress proto tcp from <nospamd> to any port smtp

In /etc/weekly.local:

echo "update nospamd file"
ftp -o /etc/mail/nospamd http://www.bsdly.net/~peter/nospamd


## whitelist from spf walk : 

In /etc/mail/spamd.conf : 


all:\
:nixspam:bgp-spamd:bsdlyblack:whitelist:

...

whitelist:\
:white:\
:method=file:\
:file=/etc/mail/whitelist.txt


In /etc/weekly.local : 

/usr/local/bin/domain-white-spamd

In /usr/local/bin/domain-white-spamd, adjust with the domains you need:

#!/bin/sh
# Rebuild the spamd whitelist from the SPF records of the listed domains.

TMP=$(mktemp)

WHITELIST=/etc/mail/whitelist.txt

DOMAINS='outlook.com
gmail.com
google.com
hotmail.com
yahoo.com
yahoo.fr
live.fr
mail-out.ovh.net
mxb.ovh.net
gandi.net
laposte.net
github.com
protonmail.com
'

# smtpctl spf walk reads domains on stdin and prints one network per line
for d in $DOMAINS; do
    echo "$d" | smtpctl spf walk >> "$TMP"
done
mv "$TMP" "$WHITELIST"
exit 0




-- 
thuban



Re: ikev2 and road warriors setup

2018-10-31 Thread Kim Zeitler

On 10/28/18 3:04 PM, Radek wrote:

Hello,
I really need your help.
I am still trying to configure Ikev2 VPN Gateway (A.B.C.77/23) for road 
warriors clients (Windows).
The problem is that it works ONLY if clients are in the same subnet as VPN 
Gateway (A.B.C.0/23).
Clients from out of the gateway's subnet (!A.B.C.0/23) can not establish the 
connection (809 Error). It does not matter if they are behind NAT or not, tried 
different ISP - the same.

Current tested client is Win7 (1.2.3.119). It works from A.B.C.0/23

I do not know what I am doing wrong.
Can anyone please help me with solving this problem?
Thank you.

This is a fresh 6.3/i386 install:



# cat /etc/hostname.enc0
inet 10.0.1.1 255.255.255.0 10.0.1.255
up

You don't need an IP on enc0



# cat /etc/iked.conf
ikev2 "test" passive esp \
from 0.0.0.0/0 to 0.0.0.0/0 \
local A.B.C.77 peer any \
srcid A.B.C.77 \
config address 10.0.1.0/24 \
config name-server 8.8.8.8 \
tag "IKED"


Try something like this, it works for both Win7 and Win10:

/etc/iked.conf
-
ikev2 "roadWarrior" ipcomp esp \
from 0.0.0.0/0 to 0.0.0.0/0 \
peer any \
srcid $srcid \
config address 10.0.1.0/24 \
config netmask 255.255.255.0 \
config name-server $dns1 \
config name-server $dns2 \
config access-server A.B.C.77 \
config protected-subnet 0.0.0.0/0 \
tag "$id"

'access-server' tells Windows what gateway to use for 'protected-subnet' 
(see iked.conf(5)).

Re: syntax error and doas.conf

2018-10-31 Thread Markus Rosjat

Hi Bruno,


Am 31.10.2018 um 12:23 schrieb Bruno Flueckiger:

On 31.10.18 10:42, Markus Rosjat wrote:
Losing ten minutes time because of a mistake you've made all by yourself
made you write this useles mail. Imagine how many times you could have
read the man page of doas(8) and find out that there is the parameter -C
to check the config file.

Cheers,
Bruno


thank you for the attitude!

Now I learned even more it's better not to share mistakes and keep them 
to yourself so the real pros are not bored by your findings because they 
are to simple to be made.


I appreciate it!




Re: spamd and google smtp ips

2018-10-31 Thread Mario Theodoridis



On 30.10.2018 20:46, Chris Narkiewicz wrote:

W dniu 30/10/2018 o 19:31, Peter N. M. Hansteen pisze:

yes, a well-known problem, and it's what nospamd (hinted at in the spamd
man pages) is for.

To some extent it helps to whitelist IP addresses and networks that
domains list in their SPF info.


Yeah, I hoped there are some reputable sources of validated mail
sources based on SPF and DKIM.

I'll give a try to your compiled list, but the fact you maintain
it manually is a bit discouraging.

I ran into this problem as well.
I ended up writing a script that parses the SPF entries out of the 
greylist and if reasonable, whitelists those ranges and removes the grey 
list entries. It runs every 15 minutes.


This works with the following rules:

pass in quick on $extIf proto tcp from  to $pubIp port smtp \
    rdr-to $mailsrv
pass in quick on $extIf proto tcp from ! to $pubIp port smtp \
    rdr-to 127.0.0.1 port $spamdPort

The trapping function when it goes to the wrong recipient works for me 
and probably does not scale.
The spamdb -Gd calls to remove the greylist entries are something i 
patched into spamd, but it seems that functionality has somehow made it 
into the regular binary.


The script is fairly debugged and has run for me over a year with good 
results, but seriously lacks tests of any kind.

Your mileage may vary.

--
Mit freundlichen Grüßen/Best regards

Mario Theodoridis

#!/usr/bin/env python2.7
import subprocess, traceback, os, re, sys, time
import dns.resolver, dns.name, dns.exception
import socket, struct

# Walker state shared by getIplist(): how deep the include chain went and
# which domains were already visited (initialised here so the functions
# below run stand-alone; the rest of the script is cut off in the archive).
recursions = 0
hosts = {}

def doLog(msg, caller=2):
    """Append msg plus the calling stack to the debug log."""
    debugLog = '/var/log/scanSpam.log'
    stk = traceback.extract_stack()
    orig = ''
    for i in range(0, len(stk)-caller):
        if stk[i][3] == None:
            orig += '__main__:'
        else:
            orig += stk[i][3] + ':'
    x = stk[-caller][1]
    out = time.strftime("%Y-%m-%d %H:%M:%S", time.localtime()) + ' ' + msg \
        + ' STACK[' + orig + str(x) + ']\n'
    wh = open(debugLog, 'a')
    wh.write(out)
    wh.close()


def run(command, caller=3):
    """ run(command) -> (returncode, stdout, stderr)

    Runs the given command in the shell and returns the output and return code """
    proc = subprocess.Popen(command, stdout=subprocess.PIPE,
                            stderr=subprocess.PIPE, shell=True)
    (out, err) = proc.communicate()
    doLog("COM:[" + command + "]   RC:[" + str(proc.returncode) + "]  OUT:[" \
          + out.strip() + "]  ERR:[" + err.strip() + "]", caller)
    return (proc.returncode, out, err)

def makeMask(n):
    "return a mask of n bits as a long integer"
    return (2L << n-1) - 1

def getIpNetMask(net_n_bits):
    "split 'a.b.c.d/bits' into (ip, bits); a bare address gets /32"
    pcs = net_n_bits.split('/')
    ip = pcs[0]
    if len(pcs) > 1:
        try:
            mask = int(pcs[1])
        except ValueError:
            mask = 32
    else:
        mask = 32
    return (ip, mask)

def addressInNet(ip, net_n_bits):
    ipaddr = struct.unpack('>L', socket.inet_aton(ip))[0]
    net, bits = getIpNetMask(net_n_bits)
    netaddr = struct.unpack('>L', socket.inet_aton(net))[0]
    netmask = (1 << 32) - (1 << 32 - bits)
    return ipaddr & netmask == netaddr & netmask

def getIplist(dName, ipl, isRecursive=False):
    global recursions, hosts
    domain = dName.to_text()
    if hosts.has_key(domain):
        doLog("Ignoring duplicate domain {0:s}".format(domain))
        return

    hosts[domain] = True
    recursions += 1
    if recursions > 50:
        doLog("Over {0:d} recursions, quitting".format(recursions))
        return
    try:
        answers = dns.resolver.query(dName, 'TXT')
    except dns.exception.DNSException:
        # no TXT record here: retry one label up, e.g. mail.example.com -> example.com
        if len(dName.labels) > 3:
            p = dName.parent()
            getIplist(p, ipl)
        return
    for data in answers:
        for txt in data.strings:
            doLog("recursion {0:d} queried [{1:s}]".format(recursions, txt))
            f = txt.split(' ')
            if re.match('v=spf1', f[0].strip()):
                parseSpf(f[1:], ipl, dName)

def getARecord(dName, ipl, subnet=''):
    try:
        answers = dns.resolver.query(dName, 'A')
    except dns.exception.DNSException:
        return
    for data in answers:
        ipl.append(data.address+subnet)

def getMxRecord(dName, ipl, subnet=''):
    try:
        answers = dns.resolver.query(dName, 'MX')
    except dns.exception.DNSException:
        return
    for data in answers:
        mx = data.exchange.to_text()
        if re.match('^[\d\.]{7,15}$', mx):
            ipl.append(mx+subnet)
            continue
        getARecord(mx, ipl, subnet)

def parseSpf(fields, ipl, dName):
    for fld in fields:
        doLog('parsing [{0:s}]'.format(fld))
        kv = fld.split(':')
        key = kv[0].strip()
        m = re.search('^(a|mx)(/|:|$)', key)
        if m:
            type = m.group(1)
            if type == 'a':
                getter = getARecord
            else:
                getter = getMxRecord
            cdr = key.split('/')
            if len(cdr) == 2:
                # a/24
                getter(dName, ipl, '/'+cdr[1])
            # (the rest of parseSpf and the script's main loop are cut off in the archived message)
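As an added example (not code from the thread, from Mario's script, or from smtpd), here is the walk that smtpctl spf walk performs, the same job Mario's script does with live DNS, done offline against constructed zone data: follow include:/redirect=, expand a and mx (with their /prefix form), collect ip4:/ip6: literals, visit each domain once and cap lookups at ten, then emit one network per line in the form spamd's whitelist file takes. The domains and addresses are constructed test data (documentation ranges); swap the three dictionaries for real resolver calls to use it.

```python
import ipaddress
import re

# Constructed zone data standing in for live DNS: example.net is a documentation
# domain and the addresses are RFC 5737/3849 test ranges.  _spf.example.net
# includes example.net back again to show that the loop guard terminates.
FAKE_TXT = {
    "example.net": ["v=spf1 ip4:192.0.2.0/24 include:_spf.example.net mx a ptr -all"],
    "_spf.example.net": ["v=spf1 ip6:2001:db8::/32 a/24 include:example.net ~all"],
}
FAKE_A = {
    "example.net": ["198.51.100.10"],
    "_spf.example.net": ["203.0.113.77"],
    "mx1.example.net": ["198.51.100.25", "198.51.100.26"],
}
FAKE_MX = {"example.net": ["mx1.example.net"]}

# qualifier, mechanism/modifier name, optional ':' or '=' argument, optional /prefix
TERM = re.compile(r"^[+\-~?]?([a-z0-9]+)(?:[:=]([^/]*))?(?:/(\d+))?$", re.I)


def _net(addr, prefix):
    """Turn a host address plus optional prefix length into a network."""
    spec = addr if prefix is None else "%s/%s" % (addr, prefix)
    return ipaddress.ip_network(spec, strict=False)


def _order(n):
    """Sort key that keeps IPv4 and IPv6 networks apart (they do not compare)."""
    return (n.version, int(n.network_address), n.prefixlen)


def spf_walk(domain, txt=FAKE_TXT, a=FAKE_A, mx=FAKE_MX, lookup_limit=10):
    """Collect the networks a domain's SPF policy authorises, following
    include:/redirect= like 'smtpctl spf walk'.  Each domain is visited once
    and lookups are capped at lookup_limit (RFC 7208 allows ten DNS-querying
    terms), so a self-including record cannot loop or blow up."""
    nets, seen = set(), set()

    def walk(name):
        name = name.rstrip(".").lower()
        if name in seen or len(seen) >= lookup_limit:
            return
        seen.add(name)
        for record in txt.get(name, []):
            terms = record.split()
            if not terms or terms[0].lower() != "v=spf1":
                continue
            for term in terms[1:]:
                m = TERM.match(term)
                if not m:
                    continue
                mech, arg, prefix = m.group(1).lower(), m.group(2), m.group(3)
                if mech in ("ip4", "ip6") and arg:
                    try:
                        nets.add(_net(arg, prefix))
                    except ValueError:
                        pass            # malformed literal: never whitelist garbage
                elif mech == "a":
                    for ip in a.get(arg or name, []):
                        nets.add(_net(ip, prefix))
                elif mech == "mx":
                    for host in mx.get(arg or name, []):
                        for ip in a.get(host, []):
                            nets.add(_net(ip, prefix))
                elif mech in ("include", "redirect") and arg:
                    walk(arg)
                # exists:, ptr and all carry no address range worth whitelisting

    walk(domain)
    return sorted(nets, key=_order)


def whitelist_lines(domains, **kw):
    """One 'addr/prefix' per line, the format spamd's whitelist file expects."""
    nets = set()
    for d in domains:
        nets.update(spf_walk(d, **kw))
    return [str(n) for n in sorted(nets, key=_order)]
```

Per-domain lookup budgets are deliberate: a provider with a sprawling include tree cannot starve the rest of the list, and the same cap is what keeps a hostile SPF record from turning the weekly job into a DNS flood.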

Ctrl+4 means SIGQUIT+coredump, where is this documented, what more shortcuts are there?

2018-10-31 Thread Tinker
Hi,

When in "cat" or "dd if=/dev/zero of=/dev/zero" or "gzip < /dev/zero >
/dev/zero", if I press ctrl+4, the program coredumps.

Doing it in ksh or sh has no effect though.

This is in OpenBSD 6.4 AMD64 from Putty on Windows.

The console interaction looks like this:

$ cat
^\Quit (core dumped)

$


Is ctrl+4 a universal SIGQUIT+coredump shortcut?

Where are the other shortcuts apart from ctrl+C, ctrl+Z, ctrl+D,
documented?

Tinker



Re: Why&how do "sh" and "ksh" differ in behavior e.g. PS1 presentation, while their binaries are equal?

2018-10-31 Thread Joseph Mayer
On Tuesday, October 30, 2018 4:33 PM, Sebastien Marie  wrote:
> On Tue, Oct 30, 2018 at 08:11:24AM +, Joseph Mayer wrote:
>
> > On a quick sourcecode check I didn't see any code paths e.g.
> > "if (argv[0] matches "ksh") { something } else { something else }"
> > however I presume I missed something.
>
> yes, the check was too quick, it seems :)
>
> src/bin/ksh/main.c
>
> int
> main(int argc, char *argv[])
> {
> 	int i;
> 	int argi;
> 	Source *s;
> 	struct block *l;
> 	int restricted, errexit;
> 	char *wp;
> 	struct env env;
> 	pid_t ppid;
>
> 	kshname = argv[0];
>
> ...
> 	/* Check to see if we're /bin/sh. */
> 	if (!strcmp(kshname, "sh") || !strcmp(kshname, "-sh") ||
> 	    (strlen(kshname) >= 3 &&
> 	    !strcmp(&kshname[strlen(kshname) - 3], "/sh"))) {
> 		Flag(FSH) = 1;
> 		version_param = "SH_VERSION";
> 	}
>
>
> -
>
> Sebastien Marie

Hi Sebastien,

Thanks a lot for clarifying.

sh's man page (http://man.openbsd.org/sh#DESCRIPTION) says:

"This version of sh is actually ksh in disguise. As such, it also
supports the features described in ksh(1). This manual page describes
only the parts relevant to a POSIX compliant sh."

When I read that originally, I perceived it as that "sh" and "ksh"
normally would have equivalent behavior - which also seems logical
given that their binaries are byte-equivalent.

The meaning I gather from the sentence is that sh and ksh are
equivalent and that instead the man pages will describe different
functionalities that are actually available in both.

Can that phrase in sh's man page be tweaked so that my misunderstanding
no longer is possible?

Do you find my misunderstanding a reasonable reading?

Joseph



Re: Ctrl+4 means SIGQUIT+coredump, where is this documented, what more shortcuts are there?

2018-10-31 Thread Stuart Henderson
On 2018-10-31, Tinker  wrote:
> Hi,
>
> When in "cat" or "dd if=/dev/zero of=/dev/zero" or "gzip < /dev/zero >
> /dev/zero", if I press ctrl+4, the program coredumps.
>
> Doing it in ksh or sh has no effect though.
>
> This is in OpenBSD 6.4 AMD64 from Putty on Windows.
>
> The console interaction looks like this:
>
> $ cat
> ^\Quit (core dumped)
>
> $
>
>
> Is ctrl+4 a universal SIGQUIT+coredump shortcut?
>
> Where are the other shortcuts apart from ctrl+C, ctrl+Z, ctrl+D,
> documented?
>
> Tinker
>
>

No idea how ^4 is mapped to ^\, but for some reason it is, and this is
the default for "quit", see "stty -a".

This is a useful sequence to interrupt boot if you weren't quick enough
to "boot -s" to enter single-user mode.




Re: syntax error and doas.conf

2018-10-31 Thread Stuart Henderson
On 2018-10-31, Markus Rosjat  wrote:
> just something I notice while trying out stuff with doas and my python 
> scripts. If you do a mistake and have a syntax error in the doas.conf 
> file you can easily look you self out from root privilages  :(

If you aren't sure about a change you're about to make, keep a spare
root shell open (or at least keep the editor open - save the file
but don't exit - and test on another terminal).



Re: Why&how do "sh" and "ksh" differ in behavior e.g. PS1 presentation, while their binaries are equal?

2018-10-31 Thread Joseph Mayer
On Wednesday, October 31, 2018 10:19 PM, Joseph Mayer 
 wrote:

Moving this to bugs@ , sorry for spam.



Re: spamd and google smtp ips

2018-10-31 Thread Kevin Chadwick
On 10/30/18 8:05 PM, Mario Theodoridis wrote:
> I ran into this problem as well.
> I ended up writing a script that parses the SPF entries out of the greylist 
> and
> if reasonable, whitelists those ranges and removes the grey
> list entries. It runs every 15 minutes.

smtpctl now has an spf walk function that may shorten your script?



Re: Bluetooth Support

2018-10-31 Thread Kevin Chadwick
On 10/31/18 9:42 AM, Marco Menne wrote:
> Bluetooth I never liked. :-)

Especially when the Bluetooth spec specified ECDH without following the
security requirement of "must validate the curves", as clearly laid out by GECC
(Guide to ECC).

I guess Linux and some Intel products did the same or copied code.

Unbelievable!



Re: syntax error and doas.conf

2018-10-31 Thread Kim Zeitler

On 10/31/18 10:42 AM, Markus Rosjat wrote:
...

doas vi /etc/doas.conf

# Edit in vi
:w
:! doas -C %



You don't even have to leave your editor





Re: syntax error and doas.conf

2018-10-31 Thread Solene Rapenne
Stuart Henderson  wrote:
> On 2018-10-31, Markus Rosjat  wrote:
> > just something I notice while trying out stuff with doas and my python 
> > scripts. If you do a mistake and have a syntax error in the doas.conf 
> > file you can easily look you self out from root privilages  :(
> 
> If you aren't sure about a change you're about to make, keep a spare
> root shell open (or at least keep the editor open - save the file
> but don't exit - and test on another terminal).

When editing files, most of the time I go back to the shell using ^Z (the editor
goes into the background), I do what's related to the file (try doas, restart
httpd until it works, etc.), and I use fg when I need to come back to the editor.

When playing with doas or sshd, I would recommend for doas to keep a root shell
open in case you screw up the file. And for sshd, when restarting it on a remote
machine, try to connect to it before exiting your current ssh session.



Re: syntax error and doas.conf

2018-10-31 Thread Allan Streib
Stuart Henderson  writes:

> If you aren't sure about a change you're about to make, keep a spare
> root shell open (or at least keep the editor open - save the file
> but don't exit - and test on another terminal).

I would add that this is not really OpenBSD-specific. Yes there's no
direct analogue to visudo(8) but it's perfectly possible to lock
yourself out of sudo access even with a correctly formatted /etc/sudoers
file, and visudo will happily let you shoot yourself in the foot that
way. With the sudoers(5) man page clocking in at about 20x the size of
the doas.conf(5) page, it's probably quite likely.

Allan



Re: Ctrl+4 means SIGQUIT+coredump, where is this documented, what more shortcuts are there?

2018-10-31 Thread Aner Perez

On 10/31/18 10:54 AM, Stuart Henderson wrote:

No idea how ^4 is mapped to ^\, but for some reason it is, and this
the default for "quit", see "stty -a".

This is a useful sequence to interrupt boot if you weren't quick enough
to "boot -s" to enter single-user mode.




You can also find more details in the termios(4) man page, specifically the Special 
Characters section.


- Aner
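An added example (not code from the thread) that turns the termios(4) special-character table into the listing stty -a prints, and shows why Ctrl-4 lands on quit: ^\ is 0x1c, and 0x1c + 0x40 is the backslash, which is how the caret notation is derived. The Ctrl-digit row is the VT220 table cited in the thread; only Ctrl-3 and Ctrl-4 are confirmed on this page, the other entries are taken from that table. sample_cc() is constructed, not read from a real terminal; current_tty_special_chars() reads a live one.

```python
import termios

# Index constants from termios(4), paired with the names stty -a prints.
SPECIAL = [
    ("intr", termios.VINTR), ("quit", termios.VQUIT), ("erase", termios.VERASE),
    ("kill", termios.VKILL), ("eof", termios.VEOF), ("eol", termios.VEOL),
    ("susp", termios.VSUSP), ("start", termios.VSTART), ("stop", termios.VSTOP),
    ("lnext", termios.VLNEXT), ("werase", termios.VWERASE),
    ("reprint", termios.VREPRINT), ("discard", termios.VDISCARD),
]

# What a VT220, and the emulators that copy it, sends for Ctrl held with a
# digit (Table 3-5 of the VT220 programmer reference cited in the thread).
VT220_CTRL_DIGIT = {"2": 0x00, "3": 0x1b, "4": 0x1c, "5": 0x1d,
                    "6": 0x1e, "7": 0x1f, "8": 0x7f}


def caret(ch):
    """Render one control character the way stty(1) does: ^C, ^\\, ^?."""
    b = ch[0] if isinstance(ch, (bytes, bytearray)) else ch
    if b in (0x00, 0xff):           # _POSIX_VDISABLE differs per OS; both mean "off"
        return "<undef>"
    if b == 0x7f:
        return "^?"
    if b < 0x20:
        return "^" + chr(b + 0x40)  # 0x1c + 0x40 == 0x5c, a backslash: hence ^\
    return chr(b)


def vt220_ctrl_digit(digit):
    """The byte a VT220-style terminal sends for Ctrl-<digit>."""
    return bytes([VT220_CTRL_DIGIT[digit]])


def describe_special_chars(cc):
    """Map a termios c_cc array to {'quit': '^\\', ...}, like the cchars of stty -a."""
    return {name: caret(cc[idx]) for name, idx in SPECIAL}


def sample_cc():
    """A constructed c_cc array with the usual defaults ("quit" is ^\\, the
    character Ctrl-4 produces); not read from a real tty."""
    cc = [b"\x00"] * termios.NCCS
    for idx, val in [(termios.VINTR, b"\x03"), (termios.VQUIT, b"\x1c"),
                     (termios.VERASE, b"\x7f"), (termios.VKILL, b"\x15"),
                     (termios.VEOF, b"\x04"), (termios.VSUSP, b"\x1a"),
                     (termios.VSTART, b"\x11"), (termios.VSTOP, b"\x13"),
                     (termios.VLNEXT, b"\x16"), (termios.VWERASE, b"\x17"),
                     (termios.VREPRINT, b"\x12"), (termios.VDISCARD, b"\x0f")]:
        cc[idx] = val
    return cc


def current_tty_special_chars(fd=0):
    """Same listing for a live terminal: the c_cc slot of tcgetattr(3)."""
    return describe_special_chars(termios.tcgetattr(fd)[6])


def explain_ctrl_digit(digit, cc):
    """Which special-character slots, if any, Ctrl-<digit> triggers on this tty."""
    sent = vt220_ctrl_digit(digit)
    hits = [name for name, idx in SPECIAL if cc[idx] == sent]
    return caret(sent), hits
```

Running explain_ctrl_digit("4", current_tty_special_chars and the raw c_cc from tcgetattr) on a session answers the original question for that terminal; a disabled slot shows up as <undef>, which is also what you get after stty quit undef if a program must not be killable from the keyboard.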



Re: Ctrl+4 means SIGQUIT+coredump, where is this documented, what more shortcuts are there?

2018-10-31 Thread Christian Weisgerber
On 2018-10-31, Stuart Henderson  wrote:

> No idea how ^4 is mapped to ^\, but for some reason it is,

This goes back to the VT220, if not older terminals.  Ctrl-3 for
ESC aka ^[ is particularly handy if the Esc key is in some inconvenient
place as on most PC keyboards.

See "Table 3-5 Keys Used to Generate 7-Bit Control Characters" in
the VT220 Programmer Reference Manual:
https://vt100.net/docs/vt220-rm/table3-5.html

-- 
Christian "naddy" Weisgerber  na...@mips.inka.de



Re: Ctrl+4 means SIGQUIT+coredump, where is this documented, what more shortcuts are there?

2018-10-31 Thread Aner Perez

On 10/31/18 2:15 PM, Christian Weisgerber wrote:

On 2018-10-31, Stuart Henderson  wrote:


No idea how ^4 is mapped to ^\, but for some reason it is,


This goes back to the VT220, if not older terminals.  Ctrl-3 for
ESC aka ^[ is particularly handy if the Esc key is in some inconvenient
place as on most PC keyboards.

See "Table 3-5 Keys Used to Generate 7-Bit Control Characters" in
the VT220 Programmer Reference Manual:
https://vt100.net/docs/vt220-rm/table3-5.html



Looks like this is implemented by the different terminal emulators, so it varies. For vte 
(gnome-terminal, terminator, ...), it looks like this is the code that sets up this behavior:


https://github.com/GNOME/vte/blob/master/src/keymap.cc#L146

- Aner



Re: spamd and google smtp ips

2018-10-31 Thread Mario Theodoridis



On 31.10.2018 17:09, Kevin Chadwick wrote:

On 10/30/18 8:05 PM, Mario Theodoridis wrote:

I ran into this problem as well.
I ended up writing a script that parses the SPF entries out of the greylist and
if reasonable, whitelists those ranges and removes the grey
list entries. It runs every 15 minutes.


smtpctl now has an spf walk function that may shorten your script?


Thanks Kevin.
That'd be one less wheel to invent.

--
Mit freundlichen Grüßen/Best regards

Mario Theodoridis



smtpd new "relay as" syntax?

2018-10-31 Thread Paul B. Henson
I just upgraded to OpenBSD 6.4, and I'm trying to figure out how to do
this with the new syntax:

accept from local for any relay via smtp://smtp.domain.com as "@domain.com"

This would rewrite the outbound message to masquerade as being from the
TLD rather than a specific machine. Right now I've got:

action local_relay relay host smtp.domain.com
match from local for any action local_relay

But this doesn't do the rewriting. The only thing I see in the man page
talks about 'senders  [masquerade]' which seems to be for
authenticated users.

Am I missing something obvious?

Thanks...



Re: smtpd new "relay as" syntax?

2018-10-31 Thread TronDD



On October 31, 2018 5:31:44 PM EDT, "Paul B. Henson"  wrote:
>I just upgraded to OpenBSD 6.4, and I'm trying to figure out how to do
>this with the new syntax:
>
>accept from local for any relay via smtp://smtp.domain.com as
>"@domain.com"
>
>This would rewrite the outbound message to masquerade as being from the
>TLD rather than a specific machine. Right now I've got:
>
>action local_relay relay host smtp.domain.com
>match from local for any action local_relay
>
>But this doesn't do the rewriting. The only thing I see in the man page
>talks about 'senders  [masquerade]' which seems to be for
>authenticated users.
>
>Am I missing something obvious?
>
>Thanks...

Mail-from in the action options, I believe.



Re: smtpd new "relay as" syntax?

2018-10-31 Thread Paul B. Henson
On Wed, Oct 31, 2018 at 08:07:09PM -0400, TronDD wrote:

> Mail-from in the action options, I believe.

Ah, yes; that seems to work, thanks. The previous implementation was
documented as:

If the as parameter is specified, smtpd(8) will rewrite
the sender advertised in the SMTP session.  address may
be a user, a domain prefixed with `@', or an email
address, causing smtpd(8) to rewrite the user-part, the
domain-part, or the entire address, respectively.

whereas this just said:

mail-from mailaddr
Use mailaddr as the MAIL FROM address within the SMTP
transaction.

It wasn't clear it would do the same rewriting functionality; I thought
at first it just took a single email address.



Which key shortcuts are safe to bind and some Q:s about history and OS diffs Re: Ctrl+4 means SIGQUIT+coredump, where is this documented, what more shortcuts are there?

2018-10-31 Thread Tinker
On Thursday, November 1, 2018 2:15 AM, Christian Weisgerber wrote:
> On 2018-10-31, Stuart Henderson s...@spacehopper.org wrote:
>
> > No idea how ^4 is mapped to ^\, but for some reason it is,
>
> This goes back to the VT220, if not older terminals. Ctrl-3 for
> ESC aka ^[ is particularly handy if the Esc key is in some inconvenient
> place as on most PC keyboards.
>
> See "Table 3-5 Keys Used to Generate 7-Bit Control Characters" in
> the VT220 Programmer Reference Manual:
> https://vt100.net/docs/vt220-rm/table3-5.html

Historical reasons, aha. Ok so this relates to a whole universe of
questions.


Is there a lot of effectively-unused legacy handling logic for
hardware that has not been manufactured for many decades, or is this
central today also?


Do unices e.g. OpenBSD/BSD, Linux, Solaris-whatever differ very much in
how they handle terminals?


Similar to how certain ctrl+ shortcut bindings are problematic, ESC is
also problematic as terminals easily confuse it right, e.g. ESC and
then rightarrow is easily confused for alt+rightarrow, right?


So this means that key bindings in your favourite console program, be
it KSH or TMUX or any other, better bind ctrl-shortcuts with great
discernment only, as they tend to have hardcoded lower-level terminal
behaviors so can't easily be preserved up to the tmux-etc. application
level and customized there, maybe you get it to work in a particular
setup but it would be fragile and maybe easily break when switching
terminal software or what not.

So binding ctrl+0-9 e.g. to switch windows is a bad idea.

More general-purpose are alt+ shortcuts e.g. alt+0-9.

Are shift+alt+-shortcuts, ctrl+shift+-, ctrl+alt+- shortcuts any
good, or any other control char I may not have thought of?


If I recall right, I did bind ctrl+0-9 successfully back in approx
OpenBSD 6.2 last year, from the latest Putty terminal then.

Did anything change in OpenBSD's terminal handling since then?


Last on this topic, are there any relevant terminal server-side
shortcut-related behaviors that can be tweaked in some environment
variable or configuration file?


Anyhow, thanks for your comments, I think I kind of got the point about
what's safe and not safe shortcuts to bind.

If there are any further reading references or books on this topic, feel
free to share.

Thanks,
Tinker
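To make the point from Christian's and Aner's replies and Tinker's question concrete, here is an added example (not code from the thread or from any of the terminal emulators mentioned). It models an xterm/VT220-style emulator using the Ctrl+digit mapping Christian cites from VT220 Table 3-5, then asks the tty line discipline, via a freshly opened pty, which of the resulting bytes it consumes in cooked mode before ksh or tmux would ever see them. Assumptions: Ctrl+0, Ctrl+1 and Ctrl+9 are absent from the table and are taken to send the plain digit; if no pty can be opened the stty(1) defaults listed in the code are used instead.

```python
import os
import termios

# VT220 Table 3-5: Ctrl plus these digits sends a 7-bit control character.
# Ctrl+0, Ctrl+1 and Ctrl+9 are not in the table; assumption: the emulator
# sends the plain digit for them.
CTRL_DIGIT = {'2': 0x00, '3': 0x1b, '4': 0x1c, '5': 0x1d,
              '6': 0x1e, '7': 0x1f, '8': 0x7f}

# termios special characters the line discipline acts on. Only the names
# that exist on the running OS are used (VDSUSP is BSD-only).
SPECIAL_NAMES = ['VINTR', 'VQUIT', 'VSUSP', 'VDSUSP', 'VEOF', 'VSTART',
                 'VSTOP', 'VERASE', 'VKILL', 'VWERASE', 'VREPRINT',
                 'VLNEXT', 'VDISCARD']

# Assumed stty(1) defaults, used only when no pty can be opened.
FALLBACK_SPECIALS = {0x03: 'VINTR', 0x1c: 'VQUIT', 0x1a: 'VSUSP',
                     0x04: 'VEOF', 0x11: 'VSTART', 0x13: 'VSTOP',
                     0x7f: 'VERASE', 0x15: 'VKILL', 0x17: 'VWERASE',
                     0x12: 'VREPRINT', 0x16: 'VLNEXT', 0x0f: 'VDISCARD'}


def ctrl_byte(key):
    """Byte an xterm/VT220-style terminal sends for Ctrl+key (a single
    character), or None when the key passes through unchanged."""
    key = key.lower()
    if key in CTRL_DIGIT:
        return CTRL_DIGIT[key]
    if ('a' <= key <= 'z') or key in '@[\\]^_':
        return ord(key.upper()) & 0x1f     # classic Ctrl: clear bits 5 and 6
    return None


def special_chars():
    """Map control byte -> termios name, read from a freshly opened pty so it
    reflects this system's cooked-mode defaults."""
    try:
        master, slave = os.openpty()
        try:
            cc = termios.tcgetattr(slave)[6]
        finally:
            os.close(master)
            os.close(slave)
    except (OSError, termios.error):
        return dict(FALLBACK_SPECIALS)
    found = {}
    for name in SPECIAL_NAMES:
        idx = getattr(termios, name, None)
        if idx is None or idx >= len(cc):
            continue
        ch = cc[idx]
        # VMIN/VTIME are ints; a disabled entry holds _POSIX_VDISABLE
        # (0xff on BSD, 0 on Linux), so both are skipped.
        if isinstance(ch, bytes) and ch not in (b'\x00', b'\xff'):
            found[ch[0]] = name
    return found


def classify(key, specials=None):
    """Return (byte, verdict) for binding Ctrl+key under a cooked-mode tty:
    'passthrough' (no control byte is generated), 'tty:<NAME>' (consumed by
    the line discipline, e.g. VQUIT delivers SIGQUIT), 'escape' (ESC, which
    collides with Alt/Meta and cursor-key sequences), or 'free'."""
    specials = special_chars() if specials is None else specials
    b = ctrl_byte(key)
    if b is None:
        return None, 'passthrough'
    if b in specials:
        return b, 'tty:' + specials[b]
    if b == 0x1b:
        return b, 'escape'
    return b, 'free'


if __name__ == '__main__':
    specials = special_chars()
    for k in '0123456789c\\z[':
        print(f'Ctrl+{k!r}:', classify(k, specials))
```

Two caveats worth keeping in mind when reading the verdicts. First, they describe cooked mode; a full-screen program that puts the tty into raw mode (tmux does) receives the bytes itself, so the shell-level SIGQUIT goes away. Second, even then the ambiguity does not: Ctrl+4 and Ctrl+\ both arrive as 0x1c, and Ctrl+3 and Ctrl+[ both arrive as ESC, so no application can tell the two keys apart, which is the real reason Ctrl+digit bindings are fragile across terminals.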